Critical fixes:
- Add RFC 2119/8174 to normative refs, move RFC 9449 to normative
- Rewrite level detection algorithm with precise parsing order (JWS first, then base64url-decode for L1)
- Add downgrade attack analysis and minimum-level policy requirement
- Complete application/wimse-exec+jwt IANA registration template
- Fix bare draft-00 citations, fix I-D reference anchor format
- Rewrite abstract to remove changelog language
Medium fixes:
- Add jti replay check to L1 verification procedure
- Add L3 async failure handling (notify downstream, treat as L2)
- Add L3 sync timeout retry/fallback guidance
- Add identity binding security subsection (JWK caching, OCSP failure policy, trust bundle refresh)
- Add audit ledger threats subsection (availability, split-view, receipt authenticity, async gap)
- Collapse redundant Section 9 into HTTP Error Handling
- Remove redundant L3 verification steps for iss/aud
- Add L2 use case (multi-vendor SaaS document pipeline)
Low fixes:
- Strengthen ext object limits from SHOULD NOT to MUST NOT
- Add level negotiation future work note
- Document L1 DAG validation limitation without ledger
- Add alg=none defense-in-depth note
- Strengthen self-assertion limitation for L1
- Add workflow topology leakage to privacy considerations
- Add cross-workflow correlation to privacy considerations
- Add RATS (RFC 9334) to related work
- Expand SCITT comparison with L3 audit ledger parallel
- Pin SPIFFE reference to specific version URL
- Clean up redundant {:numbered="false"} in back matter
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Execution Context Tokens for Distributed Agentic Workflows
This repository contains draft-nennemann-wimse-execution-context-00, an IETF Internet-Draft proposing Execution Context Tokens (ECTs) as an extension to the WIMSE (Workload Identity in Multi System Environments) architecture.
What are ECTs?
ECTs are signed JWT tokens that record what agents did, in what order, and under what policy -- complementing WIMSE's existing answer to who an agent is.
They provide:
- DAG-structured execution proofs -- task dependencies form a directed acyclic graph with cryptographic ordering guarantees
- Policy checkpoint recording -- each decision point records which policy was evaluated and the outcome
- Immutable audit trails -- ECTs are appended to a storage-agnostic audit ledger
- WIMSE integration -- same signing keys, algorithms, and SPIFFE-based identifiers as WIT/WPT
Target environments include medtech (FDA audit trails), finance (transaction record-keeping), logistics, and other regulated agentic systems.
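The "cryptographic ordering guarantees" of the DAG are easiest to see in code. The following is an added example written for this README, not code from the draft or from refimpl/: each task's digest commits to its own checkpoint fields and to its parents' digests, so a verifier that walks the graph detects cycles, dangling parents, and any edit to an ancestor that was not propagated to its descendants. The Task field names, the digest layout and the sample pipeline are this example's own assumptions; the JWS signing of the finished token (the step that turns this structure into an ECT) is not shown here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Task is one node of a hypothetical execution DAG. The field names are this
// example's own, not claim names from the draft.
type Task struct {
	ID      string
	Parents []string // IDs of tasks that had to complete before this one
	Policy  string   // policy checkpoint evaluated at this step
	Outcome string   // checkpoint outcome, e.g. "allow" or "deny"
	Digest  string   // hex SHA-256 over ID, Policy, Outcome and parent digests
}

// computeDigest hashes a task's own fields together with its parents' digests
// (in Parents order), so changing or reordering any ancestor changes every
// descendant's digest.
func computeDigest(t Task, parentDigests []string) string {
	h := sha256.New()
	for _, field := range []string{t.ID, t.Policy, t.Outcome} {
		h.Write([]byte(field))
		h.Write([]byte{0}) // separator keeps field boundaries unambiguous
	}
	for _, d := range parentDigests {
		h.Write([]byte(d))
		h.Write([]byte{0})
	}
	return hex.EncodeToString(h.Sum(nil))
}

// NewTask builds a task whose digest already commits to its parents.
func NewTask(id, policy, outcome string, parents ...Task) Task {
	t := Task{ID: id, Policy: policy, Outcome: outcome}
	var pd []string
	for _, p := range parents {
		t.Parents = append(t.Parents, p.ID)
		pd = append(pd, p.Digest)
	}
	t.Digest = computeDigest(t, pd)
	return t
}

// ValidateDAG checks that the tasks form an acyclic graph with no unknown or
// duplicate IDs and that every digest matches its recomputation. On success
// it returns a topological order (parents before children).
func ValidateDAG(tasks []Task) ([]string, error) {
	byID := make(map[string]Task, len(tasks))
	for _, t := range tasks {
		if _, dup := byID[t.ID]; dup {
			return nil, fmt.Errorf("duplicate task id %q", t.ID)
		}
		byID[t.ID] = t
	}
	const grey, black = 1, 2 // DFS colours; the zero value means unvisited
	colour := map[string]int{}
	var order []string
	var visit func(id string) error
	visit = func(id string) error {
		switch colour[id] {
		case grey:
			return fmt.Errorf("cycle through task %q", id)
		case black:
			return nil
		}
		t, ok := byID[id]
		if !ok {
			return fmt.Errorf("unknown task id %q", id)
		}
		colour[id] = grey
		var pd []string
		for _, p := range t.Parents {
			if err := visit(p); err != nil { // parents are validated first
				return err
			}
			pd = append(pd, byID[p].Digest)
		}
		if computeDigest(t, pd) != t.Digest {
			return fmt.Errorf("digest mismatch for task %q", id)
		}
		colour[id] = black
		order = append(order, id)
		return nil
	}
	ids := make([]string, 0, len(tasks))
	for _, t := range tasks {
		ids = append(ids, t.ID)
	}
	sort.Strings(ids) // deterministic traversal order
	for _, id := range ids {
		if err := visit(id); err != nil {
			return nil, err
		}
	}
	return order, nil
}

// SampleWorkflow is a constructed four-step document pipeline.
func SampleWorkflow() []Task {
	retrieve := NewTask("retrieve", "data-access", "allow")
	summarize := NewTask("summarize", "model-use", "allow", retrieve)
	approve := NewTask("approve", "human-review", "allow", summarize)
	deliver := NewTask("deliver", "egress", "allow", approve, retrieve)
	return []Task{retrieve, summarize, approve, deliver}
}

// TamperedWorkflow flips the first checkpoint's outcome and recomputes only
// that task's digest; the children's digests then no longer match.
func TamperedWorkflow() []Task {
	tasks := SampleWorkflow()
	tasks[0].Outcome = "deny"
	tasks[0].Digest = computeDigest(tasks[0], nil)
	return tasks
}

func main() {
	order, err := ValidateDAG(SampleWorkflow())
	fmt.Println(order, err)
	_, err = ValidateDAG(TamperedWorkflow())
	fmt.Println("tampered:", err)
}
```

Running the file prints the topological order for the clean pipeline and a digest-mismatch error for the tampered one. The mismatch surfaces at the first child of the edited task, which is the property an audit ledger relies on: an ancestor cannot be rewritten after the fact without invalidating everything recorded downstream of it.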
Repository contents
| File | Description |
|---|---|
| draft-nennemann-wimse-execution-context-00.md | The Internet-Draft in kramdown-rfc markdown format |
| master-prompt.md | Design rationale, iteration plan, and reference material |
| refimpl/ | Reference implementation (Go): ECT create/verify, DAG validation, in-memory ledger, and a two-agent demo. See refimpl/README.md. |
Building the draft
The draft is authored in kramdown-rfc markdown and compiled via the standard IETF toolchain.
Prerequisites
```shell
# Ruby (kramdown-rfc is a Ruby gem)
# On macOS with Homebrew:
brew install ruby

# kramdown-rfc
gem install kramdown-rfc

# xml2rfc (Python tool for rendering)
pip install xml2rfc
```
Compile
```shell
# One-step build (markdown -> XML -> text + HTML)
kdrfc draft-nennemann-wimse-execution-context-00.md

# Or step by step:
kramdown-rfc2629 draft-nennemann-wimse-execution-context-00.md \
    > draft-nennemann-wimse-execution-context-00.xml
xml2rfc draft-nennemann-wimse-execution-context-00.xml --text
xml2rfc draft-nennemann-wimse-execution-context-00.xml --html
```
Output files
After building, you will have:
- draft-nennemann-wimse-execution-context-00.xml -- canonical XML (for IETF datatracker submission)
- draft-nennemann-wimse-execution-context-00.txt -- plain text rendering
- draft-nennemann-wimse-execution-context-00.html -- HTML rendering
Submitting to the IETF
Upload the generated .xml file at https://datatracker.ietf.org/submit/
Author
Christian Nennemann, Independent Researcher, ietf@nennemann.de
License
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.